12th Annual 2009 NYS Cyber Security Conference
Empire State Plaza Convention Center - Albany, NY
June 3 - 4, 2009
Session Descriptions
Select Presentations and Handouts are Available Below
Wednesday, June 3, 2009
Defensive Measures
Executive Issues
Best Practices & Standards
Incident Response
Network Security
Challenges
Academic Symposium
Thursday, June 4, 2009
Web Application Security
PCI & Privacy Issues
Threat Report
Frameworks for Success
Network Security
Internet Security
Executive Issues
Risk Management
Academic Symposium
Defensive Measures
Threat Modeling Express
Nischal Bhalla
Security Compass
Intermediate
Project Managers, Programmers, Information Security Personnel, Auditors, Technical Staff, Web Developers
Time: 10:45am - 11:45am
The benefits of threat modeling at the design stage of software development are well-documented, yet few organizations are able to perform this analysis technique due to time constraints. Based on our experience in real world situations, Security Compass has developed a one day approach to threat modeling based loosely on a Facilitated Risk Assessment Process (FRAP). Threat Modeling Express aims to take a proactive approach to security in the design and architecture of web applications. In this presentation, learn how to create a "quick and dirty" application threat model for web applications using an organization's most valuable resource: its people.
Emerging Internet Security Threats: Precision, $$s and Malware
Lenny Zeltser
Savvis Inc and SANS Institute
Non-technical to Technical
ALL
Time: 1:40pm - 2:40pm
Financial incentives are encouraging attackers to invest significant money and efforts in powerful techniques for breaching enterprise defenses. Now that fortune, rather than fame, drives these attacks, it is critical to keep abreast of the latest attack trends.
In this presentation, Lenny Zeltser explores today's emerging internet security threats to help organizations fine-tune their defenses. Zeltser examines attack patterns that include the use of email as a gateway for fraud, the mighty power of network bots, the fertile ecosystem for web-based attacks, and the increased precision of modern attacks. The presentation presents many real-world examples of cyber attacks and discusses the financial incentives behind the malicious activities that occur on the internet. Attend and discover:
- What is driving modern-day attackers to large-scale and targeted attacks
- Which recent breaches exemplify threat categories organizations need to track
- The approaches Internet criminals employ to trick victims and bypass defenses
- Whether you should adjust security architecture to match today's threat landscape
Inside the Mind of a Hacker
Dave Chronister
Parameter Security
Non-technical to Technical
IT Directors, Network Administrators, System Administrators, Information Security Professionals, Auditors, Lawyers, Executives, CIOs, Mainframe Administrators, Non Technical Managers, Technical Staff
Time: 3:00pm - 4:00pm
Certified Ethical Hacker and Owner of Parameter Security, Dave Chronister, reveals what really goes on inside the minds of hackers. While their motives are many and their tactics are numerous, who really are these malicious hackers and what do they really want? (You might be surprised.) Discover the ever-changing tactics hackers use to gain access to your network, how they successfully pull off a hack without a trace, ways they get in without touching your technology and more. Plus, witness a real-world, simulated attack using a Trojan from the hacker's perspective and what they can do once inside your network. Chronister will also cover competitive intelligence, social engineering and most importantly, how to protect yourself from these malicious attacks via best practices that can be implemented immediately.
Executive Issues
Malicious Activity Insight and Prevention
Tim Wilde
Team Cymru, Inc.
Intermediate
All
Time: 10:45am - 11:45am
Team Cymru monitors and analyzes a wide variety of malicious activity on the Internet. Through these actions, we have gained a wide range of insights into the patterns of online crime, and have formulated a number of ideas and techniques to help avoid or even prevent malicious activity from taking place within your network. This session will discuss the type and character of malicious activity, including visualizations of that activity, and provide high-level suggestions and strategies for protecting systems, networks, and people from this activity.
Security Management under Crisis Conditions
Michael Corby
M Corby & Associates, Inc.
Non-Technical
IT Directors, Information Security Professionals, Executives, CIOs
Time: 1:40pm - 2:40pm
This session will go through several alternatives to maintaining an effective and compliant security program despite changing budget limitations and staff reductions. Success in the past several years has depended to a great degree on how well your program can weather the requirements to cut spending and headcount in response to the almost universal economic downturn. Mr. Corby will provide a roadmap for responding to Board and Executive demands for reducing security budgets. Many of the tools and techniques will actually provide for permanent changes that can reap eternal benefits. Others will provide you with effective measures to keep a program (and your career) on track until the recovery happens.
The Common Sense Guide to Protecting Yourself from Hackers, Employees & the Government
Ken Michael
Dox Electronics
Non-Technical
All
Time: 3:00pm - 4:00pm
The presentation will show real life scenarios on issues that businesses of all sizes are facing, and will provide simple steps to mitigate their risk. Attendees will come away with a checklist of concepts and potential areas of concern that deal with security and other common problem areas.
- New Emerging Threats
- Social Engineering
- The "Onion" Model: setting up layers of defense
- Current Industry Regulations
- Today's Threats: an Executive management perspective versus an IT management perspective
- Why you need help from your Management
- Key Countermeasures for Executive Management and IT Staff
Best Practices & Standards
APWG Initiatives to Make Life Harder for the Phishers
Patrick Cain
APWG (antiphishing.org)
Intermediate
IT Directors, Educators, System Administrators, Information Security Professionals, Executives, CIOs, Technical Staff, Law Enforcement Personnel
Time: 10:45am - 11:45am
This session will provide a current view of phishing and fraud activities in the world, including trends and recent successes. Other initiatives will be discussed that respond to e-crime events, including a standardized redirection web page for disabled phish sites, an effort to provide guidance for e-crime evidence collection, and an overview of a proposed standardized data sharing format.
An Opportunity for New Models of Collaboration for Security: Why Public - Private Coordination Doesn't Exist --- But Will!
Peter Allor
IBM
Non-Technical
ALL
Time: 1:40pm - 2:40pm
Sharing is passé. We require new models of collaboration to better secure the environment; collaboration among organizations to help the public and private sectors is desperately needed. What is the landscape we are dealing with? What are the ways to deal with these potential threats as a part of cross-organizational collaboration for protecting networks and critical infrastructures? The realistic way to do that is the partnering of solution sets; creating communities of interest.
Whether public or private sector, organizations are constantly struggling to keep up with security issues and counter-measures in a constantly changing environment. All sides, from public to private sector entities, feel that no one is addressing cyber issues and providing enough information to all regarding cyber attacks and warfare that are real and happening now!
Attacks are ongoing now and of serious immediate consequence (physical, logical and virtual) and attacks are in layers and across platforms/applications/networks. The expertise is assumed in government on cyber issues and the expertise in the private sector is resident as it is in each organization's IP and networks. How can entities and corporations share their expertise and knowledge relating to security so that ALL sides benefit from the same data and experience? Not everyone can be in the same small tent and have trust and no one is sure of the scope or all methods. There have been lots of discussions and past attempts regarding examples and models of sharing on existing issues, but having everyone work the same aspect does not make collaboration.
There is a need to focus on the goal, not the control of collaborating to protect all types of cyber-security. In this session Mr. Allor will explain the need for larger group sets from all sectors to work the problem's subsets to a fruitful solution. He will go into details on the issues affecting us all and detail the importance of collaborating over sharing. There are so many subsets of knowledge that if they were worked on as a whole they would address the constantly evolving security threats felt by all.
Mr. Allor will explain:
- Why we need to work from an overarching view
- Why we need sub-sets to work from an equal footing
- How the problems are global in response and the answers, and thus collaboration can be global in nature
- Solutions to cyber-security issues come in phases and degrees, based on knowledge and delivery/implementation
- The government has asked for ISACs / information sharing mechanisms, then did not endorse or support them
- Info-sharing (collaboration) has happened haphazardly for nearly a decade, but it needs to work!
- Why we do not need everyone to work each of the details of a sub-set, but we need to share information from all of these sub-sets
- The government and the private sector are keen on pointing fingers and saying it's broken, but no one is delving into the reason why; we will here
Never Let a Crisis Go To Waste
Anthony Hernandez and Mike Barba
SMART
Intermediate
IT Directors, Information Security Professionals, Executives, CIOs, Non-Technical Managers, Technical Staff
Everyone is fully aware that our country is in the midst of the deepest economic recession in over eighty years. Almost every organization has been hit hard by the collapse and as a result they have eliminated thousands of jobs and slashed budgets. For many, however, the slowdown presents an excellent opportunity to reduce operational costs by investing in technology and to work on information privacy and compliance initiatives. Topics discussed will include:
- Breakdown of the financial crisis and its impact on information security
- Overview of existing regulations, including the Payment Card Data Security Standard (PCI-DSS), the Fair and Accurate Credit Transactions Act (FACTA), the Health Insurance Portability and Accountability Act (HIPAA) and specific NYS Information Privacy Legislation
- Using Risk Management techniques to reduce costs
Incident Response
Building a Cyber Security Operations Center
Randy Marchany
VA Tech IT Security Office & Lab
Intermediate
Computer Forensic Specialists, IT Directors, Network Administrators, System Administrators, Project Managers, Programmers, Information Security Professionals, Technical Staff
Time: 10:45am - 11:45am
VA Tech is building a Cyber Security Operations Center that serves as a clearinghouse for its varied intrusion detection, intrusion prevention, antivirus and other cyber security initiatives. This clearinghouse is used by IT Security analysts to monitor, detect and respond to cyber attacks against the VA Tech computers and network. This presentation discusses how we're building it using a combination of commercial and freeware software.
Computer Network Simulators Advance Cyberspace Protection
Christian Espinosa
EADS North America Defense Security and Systems Solutions, Inc
Intermediate
Computer Forensic Specialists, Educators, IT Directors, Network Administrators, System Administrators, Project Managers, Information Security Professionals, Auditors, Lawyers, CIOs, Technical Staff
Time: 1:40pm - 2:40pm
Cyberspace technology is evolving at a rate never seen before. As quickly as one advance is fielded to protect networks, malicious adversaries are at work finding vulnerabilities in that technology. To counter threats and provide the best possible defense for vital national computer networks, fusing technology and people is paramount. Network Professionals must understand the menace to detect, recognize, and mitigate threats. A Network and Training Simulator is the answer. Simulators provide a risk-free environment to: develop the knowledge and skills needed to deploy protective countermeasures; validate tactics, techniques, and procedures; evaluate advancements in network technology.
DS3 will present network operations and computer network defense lessons learned and best practices we have gathered over the last 6 years from the use of network simulators. This information was gathered while participating in and controlling exercises and training events and evaluating hardware and software configurations for the Department of Defense.
Incident Response Using Open Source Forensic Tools
Thomas Hurbanek
NYS Digital Forensics Workgroup
Advanced
Computer Forensic Specialists, IT Directors, Network Administrators, System Administrators, Project Managers, Programmers, Information Security Professionals, Technical Staff
Time: 3:00pm - 4:00pm
Members of the NYS Digital Forensics Workgroup are collaboratively exploring the use of open source forensic tools for Incident Response. The goal is to identify how these tools can be effectively put to use in NYS agencies. The results of this 4 month long exercise, including best practices, lessons learned, and forensic scenarios will be the basis of an interactive session and demonstration.
Network Security
Ensuring Network Protection While Meeting Compliance in a Cyber Threat-Friendly Economy
Ken Pappas
Top Layer Security
Intermediate
IT Directors, Network Administrators, System Administrators, Information Security Professionals, Auditors, Lawyers, Executives, CIOs, Educators, Technical Staff, Law Enforcement Personnel, Web Developers
Time: 10:45am - 11:45am
This year's session will go more into detail about how organizations can better meet various compliance requirements through improved network security in a down economy. With the rise of a variety of compliance requirements, including PCI, GLBA and HIPAA, and today's weakened economy, organizations have never been more sensitive to the effects of a data breach or denial-of-service (DoS) attack. To make matters worse, a poor economy can serve as a breeding ground for new hackers forced into using their IT skills maliciously for financial gain. The last year has seen the rise of website exploits such as SQL injection attacks and clickjacking as hackers increasingly focus on social networking sites to target millions of users. Meanwhile, time-tested forms of malware such as the worm continue to find new ways to propagate with the ability to grow botnets or fuel SPAM - the Conficker worm, for example, quickly grew this past winter to infect between 2 and 10 million computers. As there are a variety of vulnerabilities to a network, a variety of complementary technologies can be integrated to provide the best defense. This session explores the latest attacks from hackers in 2009 and shows how the best network defense is not a single technology solution through a silver bullet, but rather a pervasive security approach that creates an ecosystem of technologies, including Intrusion Prevention Systems, Firewalls, NAC, Event Correlation, SIEM and others. Attendees will learn how these technologies can be integrated to enhance each other and allow companies to address the variety of compliance requirements facing them, while protecting their organization from costly disruptions caused by cyber attacks.
Creating Effective Security Controls: A Ten Year Study Of High Performing IT Security Organizations
Gene Kim
Tripwire, Inc.
Intermediate
Educators, IT Directors, Information Security Professionals, Auditors, CIOs
Time: 1:40pm - 2:40pm
In 2009, due to high-profile information security failures, there is more external pressure than ever for security and compliance. And yet, even when information security is adequately funded, there is an uncomfortable question that needs to be answered: why does information security so often fail to effectively prevent and quickly detect and recover from security breaches?
We believe that the root cause is failing to effectively integrate information security into the daily work of IT operations, software/service development, compliance, project management and internal audit. Within compliance alone, government agencies struggle to meet internal compliance requirements and/or regulatory compliance mandates. When this occurs, information security is often labeled as shrill, hysterical, irrelevant, bureaucratic, difficult to understand, not aligned with the rest of the agency, perpetually focused on irrelevant technical minutiae, and so forth.
This presentation will discuss 10 years of research and benchmarking of 1,000 organizations by the IT Process Institute, that uncovered the 20% of IT controls that deliver 80% of the performance improvement, as well as creating a sustainable and secure controls environment. While many organizations leverage guidance from the Center for Internet Security (CIS) and the Defense Information Systems Agency's (DISA) Security Technical Implementation Guides (STIGS), we will also present the Security Visible Ops methodology, providing four prescriptive steps on how to design and operate these controls, and integrate security controls into IT operational, software development and project management processes.
Defense-in-Depth: Anti-Virus Strategies
Chris Lohret and Ian Morrison
Microsoft Corporation
Intermediate
Technical Staff, Web Developers, Network Administrators, System Administrators, Information Security Professional
Time: 3:00pm - 4:00pm
Although many organizations have deployed antivirus software, new viruses, worms, and other forms of malware (malicious software) continue to rapidly infect large numbers of computer systems. There is no single reason for this apparent contradiction, but fundamental trends are apparent from feedback Microsoft has received from IT professionals and security staff in organizations whose systems have been infected, including such comments as:
- "The user executed the attachment from their e-mail even though we've told them again and again that they aren't supposed to…"
- "The antivirus software should have caught this, but the signature for this virus hadn't been installed yet."
- "This never should have made it through our firewall; we didn't even realize those ports could be attacked."
- "We didn't know our servers needed to be patched."
The success of recent attacks illustrates that the standard approach of deploying antivirus software to each computer in your organization may not be sufficient. Recent outbreaks have spread with alarming speed, faster than the software industry's ability to detect, identify, and deliver antivirus tools that are capable of protecting against attack. This presentation will review Microsoft Patterns and Practices around defense-in-depth strategies to combat malware.
Challenges
Hacking... without Buffer Overflows
Mike Zusman
Intrepidus Group
Intermediate
IT Directors, Information Security Professionals, CIOs
Time: 10:45am - 11:45am
"Hacking" as seen in the real world today has evolved beyond finding vulnerable servers on the Internet and compromising them using buffer overflow exploits, as was the case a few years ago. Today, attackers are using methods that blend in with normal activity and are thus harder to detect, e.g. Google Hacking and Spear Phishing. This presentation will discuss the evolution of the hack and how Google Hacking and Spear Phishing are being used to cause significant damage to organizations (and even countries), while staying below the radar. I will discuss real world cases and statistics from empirical data to substantiate my presentation.
Acquiring Computer Communications: Often a Treacherous Task
Steve Treglia
Office of the Nassau County District Attorney
Non-Technical
ALL
Time: 1:40pm - 2:40pm
You are provided a printout of a communication that was transmitted digitally over a computer network or the Internet which contains evidence of wrongdoing. Can you use it as evidence in a civil or criminal proceeding or use it for administrative sanctions against an employee?
Due to a jumbled confluence of federal and state constitutional, statutory and case law, the answers become invariably complex because they depend on many different factors. Moreover, the slightest variation in the fact pattern can immediately flip the answer, like a light switch, in the opposite direction. Ironically, the rapid manner in which technology evolves and morphs and the way it contrasts so dramatically with how democracy operates so ponderously, with its need for general awareness of impending consequences and consensus of the appropriate response, has created a tremendous tension for those who have to act with such an uncertain body of legal precedent.
This lecture analyzes the law for the issues that have been already addressed by our legislature and courts and speculates where the law might be headed for those issues that have not yet been addressed. This lecture will even point out some of the legal dangers that lurk in the currently uncharted waters that lie shortly ahead of all of us.
Motivating People to Adopt Information Security Practices in Organizations
Joseph Treglia
Syracuse University - School of Information Studies
Non-Technical
Network Administrators, System Administrators, Project Managers, Information Security Professionals, Executives, CIOs, Mainframe Administrators, Educators, Non Technical Managers, Technical Staff, Law Enforcement Personnel
Time: 3:00pm - 4:00pm
People within organizations are the implementers of cyber and information security practices. Tools and technology are available which can stop cyber attacks and malicious incidents within agencies and also reduce losses and speed recovery. The greatest failure of these systems lies in the human elements. Strategies and processes have been identified that improve the human performance and acceptance of security related activities. This session will highlight the current work in this area so that agencies may implement policies and practices that will more likely be adopted by the people within the organizations. We also identify managerial activities that promote integrity and policy compliance within the workforce.
Symposium Track
Session I: Invited Talk
Chair: George Berg, UAlbany
Title: Russian Cyber Warfare and the Magic of Misdirection
Speaker: Jeff Carr, Greylogic
Time: 10:45am - 11:45am
The way that the Kremlin conducts its cyber warfare operations is akin to the way a magician fools his audience - through the use of misdirection. This presentation will include a survey of Russian military doctrine related to information warfare including a Russian Colonel's recounting of the Georgian cyber campaign of 2008. It will particularly examine the careful use of words as a tool of misdirection and compare it with the same technique used in "The Tuned Deck" as described in Daniel Dennett's paper "The Magic of Consciousness". This presentation will also explore the misdirection of a free Russian Internet with the reality of an aggressive anti-Kremlin counter-research operation whose remit from Moscow is to "Ensure the domination of pro-Kremlin view on the Internet" and how that policy is enforced through the enlistment of Russian youth organizations; the same organization that was involved in the Estonia and Georgia cyber conflicts. Finally, this presentation will detail how one anti-Georgia Web forum was deliberately designed to obfuscate GRU/FSB involvement through the use of blacklisted hosts and Spam servers. The success of Russia's use of misdirection continues today as many Western security experts struggle to attribute the work of Russian hackers back to the Kremlin.
Session 2: Security Management
Chair: Raj Sharman, University at Buffalo, SUNY
Paper: Behavior Targeting and the Modeling of Economic Compensation for Accessing Private User Behavior Information
Author: Daniel O. Rice, Loyola College
Time: 1:40pm - 2:40pm
Behavioral targeting uses web technologies to tailor direct marketing efforts in order to increase the efficiency of online marketing. The use of 3rd party cookies in this manner, however, has been called "behavioral targeting" and many believe that it is an invasion of personal privacy. Organizations and businesses who engage in behavior targeting usually do it surreptitiously, without the individuals' permission, and with the cooperation of the users' Internet Service Providers (ISPs). This ongoing research proposes a market solution that will allow informed users to participate in the collection and reselling of their own personal information including compensation to users for allowing their browsing behavior and personal information to be tracked. The market premise is that there is significant value created by firms who track, analyze, and sell Internet users' browsing activity. Businesses, such as marketing firms like DoubleClick, will be willing to pay for that information supporting compensation to users and ISPs. Technologies and the economic foundations exist to support the functioning of this type of information market which will be sustained by existing demand for information, as well as by the voluntary participation of individuals and ISPs. If the market is created, behavioral targeting does not have to be an invasion of privacy, but instead a mutually beneficial business transaction between willing participants.
Paper: A Framework for Information Security Performance Management
Authors: Basil Hamdan & Gurpreet Dhillon, Virginia Commonwealth University
Several studies have been conducted to develop frameworks for planning and managing information security in organizations. In contrast, very little research has looked at evaluating the effectiveness of information security management. This paper attempts to fulfill this need by proposing a balanced scorecard framework for the strategic planning and performance evaluation of information security management. Research suggests that information security is a multi-dimensional endeavor and that all dimensions must work together to create a secure information systems environment. Acknowledging the multi-dimensionality of information security and the various value propositions of different organizational constituents, we argue that for organizations to maximize the value of their information security effort, they should strike a balance between four interrelated strategic information security objectives pertaining to the four perspectives of the balanced scorecard: (a) maximize the value of the management, (b) maximize the value of the internal and external customers by supplying information security services that match their demand and value propositions, (c) create a security climate and ultimately a security culture in the organization, and (d) maintain the integrity of business processes as defined by business units. The proposed balanced scorecard will provide organizations with guidelines to allocate their scarce resources so as to achieve their various security objectives with the ultimate objective of maximizing information security.
Session 3: Distributed Security
Chair: Arun Lakhotia, University of Louisiana at Lafayette
Title: Federated Role-based Access Control in Exertion-oriented Programming
Authors: Satish Vellanki & Michael Sobolewski, Texas Tech University
Time: 3:00pm - 4:00pm
Federated computing environments expose lots of resources in order to serve their clients, which include system services, domain-specific services, and distributed file systems. A flexible and coordinated mechanism to control access to these resources is proposed which allows participants to form themselves into collaborative groups and secure access is granted to group members. Then, the participants can make resources available to a named group and manage locally the members in the group with required permissions across multiple domains. We explain how the proposed approach focused on user's local namespace is used in exertion-oriented programming and in particular in a SORCER federated file system where members of a group or delegated services can securely fetch any file replica that is available to a named group from any byte store service.
Paper: IDKEYMAN: An Identity-Based Key Management Scheme for Wireless Ad Hoc Body Area Network
Authors: Sriram Sankaran, Mohammad Iftekhar Husain, & Ramlingam Sridhar, University at Buffalo, SUNY
Wireless Ad hoc Body Area Networks are primarily used in health-care applications for patient monitoring purposes. Security in these networks has raised significant interest among the research community due to the privacy-critical medical data, requiring light-weight solutions to comply with the stringent resource constraints of individual body sensors. In this work, we consider publisher (medical sensors attached to patients) - subscriber (doctors or caregivers) driven Body Area Networks since it is an enabling technology for pervasive medical sensor network systems. We propose a key management scheme using Identity-Based Encryption (IBE), since it facilitates faster key set-up, in addition to being lightweight and energy-efficient. IBE is used to set up pair-wise symmetric keys to be shared between publishers and their corresponding subscribers to ensure data confidentiality and integrity. We have prototyped our scheme using a wireless sensor network simulator (Prowler) for evaluating the proposed model and related mechanisms. A comparison of our results with other approaches demonstrates the efficiency of our scheme.
June 4, 2009
Web Application Security
Five Common Mistakes in Securing Web Applications
Lars Ewe
Cenzic
Intermediate
IT Directors, Project Managers, Programmers, Information Security Professionals, Executives, CIOs, Non Technical Managers, Technical Staff, Web Developers
Time: 10:15am - 11:15am
Many organizations lack an overall sense of the best practices for deploying and securing web applications. Despite security practices aimed at addressing vulnerability types present within the OWASP and WASC threat classifications, a number of common mistakes are still being made. We will look at five common mistakes that are made when securing web applications and the impact that these design flaws have on the overall security of an application. These include issues such as client-side trust relationships, failure to properly secure application redirection mechanisms, and other design and configuration elements that can quickly undermine the security of an application, even when diligent security practices are in place. This presentation will provide a discussion of how many severe vulnerabilities in web applications can be introduced by design and architectural-level choices, resulting in application vulnerabilities even when the core OWASP and WASC security issues have been addressed. Solutions and recommended best practices for avoiding these mistakes will also be provided.
- Goal - Help the audience understand that securing a web application requires attention to best practices in addition to vulnerability assessment and remediation.
- Why is this problem interesting - It is still not well understood that particular design and architecture choices can introduce logical and workflow level vulnerabilities in web applications that are difficult to detect and quite serious if not addressed.
- Vulnerability-centric thinking vs. best practices.
- What are the common types of attacks against web applications.
- What common mistakes do organizations make when securing web applications? The impact of these mistakes upon the security of the application.
- Approaches to solve the problem
- Conclusions
Rooting out the Bad Actors
Alex Lanstein
FireEye
Intermediate
Computer Forensic Specialists, IT Directors, Network Administrators, System Administrators, Information Security Professionals, Technical Staff
Time: 11:30am - 12:30pm
Considering the remarkably small number of data centers that host services for those groups who operate the most sophisticated malware and botnets on the Internet, it's surprisingly difficult to detect and stop the illicit activities of these bad actors. Why? Discussion will include popular obfuscation tactics, hosting, and resiliency models. Extensive research findings and case studies will be shared to illuminate key points and discuss malware and botnet hosting activity.
How to Keep Your Organization's Web Applications Safe from Cyber Attacks
Jon Ramsey
SecureWorks
Advanced
Computer Forensic Specialists, IT Directors, Network Administrators, System Administrators, Project Managers, Programmers, Information Security Professionals, CIOs, Technical Staff, Web Developers
Time: 1:30pm - 2:30pm
Web applications are one of the fastest growing vectors of Internet attacks. After analyzing the attack data of its 2,000 clients, SecureWorks, one of North America's leading information security service providers, has found that over 80% of all cyber attacks target web applications. Additionally, the Web Application Security Consortium (WASC) just published a report showing that no less than 500,000 websites were compromised in 2008 due to web application attacks. Not only are attackers going after sensitive information stored on your website's databases but they are increasingly targeting your website customers.
This presentation will discuss how your organization can secure its web applications with a defense-in-depth approach that minimizes risk. The presentation will begin by outlining the current web application threats and vulnerabilities. It will then take audience members through the critical steps of a defense which include: implementing a secure software development lifecycle process, validating the web application source code through automated and manual analysis, and putting defenses, such as web application firewalls, log monitoring and database intrusion prevention systems and firewalls, in place so as to detect and prevent current and future web application attacks.
Hacked while Browsing. Using the Web to Spread Malware
Brian Ford
Cisco Systems
Intermediate
IT Directors, Network Administrators, System Administrators, Project Managers, Programmers, Information Security Professionals, Auditors, Lawyers, Executives, CIOs, Educators, Non Technical Managers, Technical Staff, Law Enforcement Personnel, Web Developers
Time: 2:50pm - 3:50pm
Each year sees an increase in the volume and sophistication of security threats on the Internet. The authors of so-called "malware" continue to discover and develop more sophisticated exploits and methods to generate and propagate more malicious code such as key loggers and system monitors. Many of these infections are occurring through the end users' use of the browser. Criminals are both creating sites with the single intention of spreading malware as well as hacking legitimate websites or using email to send spam and phishing with links to malicious websites. These methods have resulted in up to 50 percent of corporate desktop computers infected with some sort of malware. Global organized crime gangs profit from these activities through illegal drug sales, spam, bank fraud, identity theft, and corporate espionage. To effectively combat these threats, those responsible for the security of companies need to educate their user communities and assess solutions that have strong capabilities in protecting web access and email. The best defense is a solution whose security database spans both web and email threats. Attendees learn how infections can occur, the potential risks of an attack, and how organizations can prepare to confront these threats.
PCI & Privacy Issues
PCI-DSS Standards
Bob Russo
PCI Standards Council
Intermediate
Computer Forensic Specialists, IT Directors, Network Administrators, System Administrators, Information Security Professionals
Time: 10:15am - 11:15am
Bob Russo, the first general manager of the PCI Security Standards Council, will review the Council's history, community meetings and organizational structure during this session. He will review PCI DSS 1.2 Standards and why they are necessary. The session will also go over the new trainings and resources that are available through the council and how to become involved with the PCI Standards Council.
Effectively Become Compliant and Build Awareness in Your Organization
Jerry Hughes
Lighthouse IT Compliance Group
Non-Technical
All
Time: 11:30am - 12:30pm
Discussion:
Mr. Hughes will review the background leading to the PCI Data Security Standard and the latest NYS legislation. He will discuss Data Security Standard requirements and present some case studies. Finally, Mr. Hughes will provide cost-effective approaches to becoming compliant.
Are You Prepared for Data Loss
Christopher Novak
Verizon Business
Intermediate
IT Directors, Network Administrators, System Administrators, Project Managers, Information Security Professionals, Technical Staff
Time: 1:30pm - 2:30pm
The costs of data breaches and data loss continue to escalate and can be measured by lawsuits, and civil and regulatory penalties. Breaches can trigger an obligation to notify impacted customers, leading to the erosion of customer confidence. The potentially serious consequences of data loss are making data protection a management priority. Learn data loss prevention strategies on:
- Data classification and data discovery
- Architecture design
- Technology implementation
Real forensics case studies and examples will be used to demonstrate challenges and solutions.
PII: Taming the Beast
Todd Feinman
Identity Finder, LLC
Intermediate
Educators, IT Directors, Network Administrators, System Administrators, Information Security Professionals, Auditors, Executives, CIOs, Non Technical Managers, Law Enforcement Personnel
Time: 2:50pm - 3:50pm
Thousands of organizations use Personally Identifiable Information (PII) and other confidential information for business processes. With identity theft on the rise, legislation has been enacted to control access to this sensitive data. Despite an organization's best efforts, many of the traditional approaches to protecting PII and preventing data leakage have proven insufficient. The presenter will discuss two generalized case studies with different approaches on two organizations' surprising journeys through managing their PII. The benefits of a centralized versus decentralized approach will be addressed while discussing methodologies used and lessons learned. The session is intended to be interactive.
Threat Report
Microsoft Security Intelligence Report, Volume 6, Covering the Period July to December 2008
Jimmy Kuo
Microsoft
Depends on audience
IT Directors, Network Administrators, System Administrators, Information Security Professional
Time: 10:15am - 11:15am
Jimmy Kuo will be speaking on the key findings from the latest semi-annual Microsoft Security Intelligence Report. Volume 6 of the Microsoft® Security Intelligence Report provides an in-depth perspective on software vulnerabilities (both in Microsoft software and in third-party software), software exploits, and malicious and potentially unwanted software observed by Microsoft during the past several years, with a focus on the second half of 2008 (2H08). The Report also contains new information on browser-based exploits, popular document format exploits, and updated information on security and privacy breaches.
Examining the Government's Threat Landscape
Marc Fossi
Symantec Corporation
Intermediate
All
Time: 11:30am - 12:30pm
This presentation will focus on the current Internet threat landscape and what network-based attacks are plaguing government organizations - particularly examining fraud, vulnerabilities, and malicious code, as well as phishing and spam activity. Marc Fossi will share with participants recent findings of the Symantec Internet Security Threat Report, paying special attention to the government portion of the report - which focuses on data for federal, state and local government agencies. Respected as an authoritative and independent source of up-to-date threat data and trends, the Symantec Internet Security Threat Report provides information needed to help consumers, enterprises and public sector organizations effectively secure their systems. As editor of the report, Fossi will be able to provide greater understanding of these threats and share best practices for protecting your agency and mitigating the threats that can jeopardize your proprietary information. Participants will walk away with a greater understanding of the Internet threat landscape, and a greater confidence in understanding and mitigating network-based attacks.
2009 Security Threat Predictions
Dave Marcus
McAfee Avert Labs
Intermediate
All
Time: 1:30pm - 2:30pm
What were the drivers for threats for 2008? What will be the driving factors of 2009? How will the economic downturn affect cybercrime? Will we have more Facebook threats or will it all be about USB malware? These questions and more will be discussed and answered during this 2009 Security Threat Predictions session.
SAFETY Act and You
Bruce Davidson
U.S. Department of Homeland Security
Non-Technical
All
Time: 2:50pm - 3:50pm
Our program provides important liability protections to sellers of effective anti-terrorism technologies, which include cyber security technologies. These protections also extend to their customers.
Cyber security is an area of great emphasis for us this year, as we are actively seeking to significantly increase the number of cyber security technologies that apply for the benefits offered by our program. Relevant applications for our program would include such technologies as: process control systems security, information system threat detection and mitigation technologies, secure IT technologies and systems (particularly those that would protect the operations at critical infrastructure sites, such as power plants, chemical plants, and financial institutions), secure database systems, forensic IT solutions, IT system vulnerability assessments, etc.
Frameworks for Success
The NYS Office of the State Comptroller's Data Classification Initiative -- Part II
Slawomir Marcinkowski
NYSTEC and NYS Office of the State Comptroller Team
Non-Technical
IT Directors, Information Security Professionals, Auditors, Executives, CIOs, Non Technical Managers, Technical Staff
Time: 10:15am - 11:15am
The classification of information is the basis for many security decisions within an organization and its business units. By classifying information, an organization is able to apply appropriate administrative, physical, and technical controls to protect information in a cost-effective and continuous manner. The New York State Office of the Comptroller (OSC) has developed a data classification schema that incorporates a set of controls for each classification level throughout the organization. The presentation will provide an updated case study of how data classification is implemented at OSC. The processes and tools developed and used in OSC's data classification task will be reviewed with the audience, including the establishment of a data classification team and steps to accomplish the classification.
Secure Systems Development Framework
Manny Morales, NYS Office of the State Comptroller and
Deborah Snyder, NYS Office of Temporary and Disability Assistance
Intermediate
IT Directors, Project Managers, Programmers, Information Security Professionals, CIOs, Non Technical Managers, Technical Staff, Web Developers
Time: 11:30am - 12:30pm
Applications have evolved from existing within a relatively secure and confined environment with limited users and processing capabilities, to web-facing, interactive applications that can perform sensitive transactions, access vast amounts of data, and are accessible to millions of people worldwide. As applications have evolved and expanded in use, so too have the associated complexities, vulnerabilities and risk they can potentially introduce to an agency's information assets. By following a Secure Systems Development Life Cycle (SSDLC) Framework utilizing threat and risk assessments, data classification, application code review and vulnerability scanning, security testing, application certification/accreditation, and established configuration and change control measures, an agency can deploy secure applications that mitigate risk to an agency's information assets. The objective of the SSDLC Framework is to identify and mitigate information security-related threats, vulnerabilities and the risk that applications can potentially pose to an agency's information resources, by ensuring development activities follow a process to ensure application security is properly considered and addressed from the planning stage throughout the system development life cycle.
Network Security
Securing Unified Communications and Voice over IP
Ken Kaminski
Cisco Systems
Advanced
Computer Forensic Specialists, IT Directors, Network Administrators, System Administrators, Project Managers, Programmers, Information Security Professionals, Technical Staff
Time: 1:30am - 2:30pm
Securing Unified Communications and Voice over IP Design Seminar contrasts traditional telephony security models with an updated and more modern one designed for the IP world. Threats are analyzed and a three stage unified communications security level model is presented. Enterprises and integrators can choose from among the basic, intermediate, and advanced models the one that best fits their risk profile. Each level is broken down in detail to show which features and what equipment to deploy as best practices. The seminar is deep technically and designed for those who design, install, operate, and manage Unified Communications and data networks. Topics include:
- Switch Security Features
- VLAN separation
- Related QoS features
- Router features
- Host Intrusion Prevention Technology
- Server hardening
- Call Control and UC Applications Server Security features
- Certificates and PKI
- Toll Fraud Prevention
- Firewalls for Voice and Video
- Voice Signaling Encryption
- Voice Encryption
- Secure Remote Access
Controlling Access & Admission with NAC
Lucas Cammarata
Cisco
Intermediate
Educators, IT Directors, Network Administrators, System Administrators, Project Managers, Information Security Professional, Auditors, Lawyers, Executives, CIOs, Non Technical Managers, Technical Staff, Law Enforcement Personnel
Time: 2:50pm - 3:50pm
Early implementations of Network Admission Control provided simple pre-connect access control. The value to a customer was straightforward - the NAC solution monitored devices for security compliance prior to being able to attach to the network, minimizing the potentially malicious impact of a non-compliant device. In the past 5 or 6 years, NAC has become a key solution for any organization wanting to enforce perimeter control, and while valued at $4-500M today, Gartner expects the market to grow to close to $800M by 2012, due to both increased awareness of the value of NAC solutions and the broadening of the NAC concept itself.
However, the growth potential of the NAC market has been eroded by customer confusion surrounding the breadth of issues that NAC solutions potentially address. With dozens of available NAC suppliers, each claiming to provide guest networking services, posture/containment, remediation, comprehensive reporting, and sophisticated policy-driven environments, customers must now determine which NAC solutions address the particular issues that they face, both today and in the future.
This session will provide an overview of the NAC market, clearly identifying the incremental layers of value for customers. The range of solutions available will be discussed in the context of both the issues they address, as well as some of the challenges that their implementation will impose. By the end of the seminar, customers will not only understand the type of NAC implementation they require, but the resources they will need to implement the solution, and the migration paths available to them as their needs evolve as well.
Internet Security
Securing The Perimeter: A Public-Private Sector Discussion on Cyber Security
Darin Andersen, Chief Operating Officer, ESET
Perry Blanchard, Albany County
Thomas Duffy, Deputy Director, NYS Office of Cyber Security and Critical Infrastructure Coordination
Matthew Eggers, Manager, National Security and Emergency Preparedness Department, U.S. Chamber of Commerce
Carlos Kizzee, Director, Strategic Initiatives, Critical Infrastructure Cyber Protection and Awareness, National Cyber Security Division, U.S. Department of Homeland Security
Alan MacQuoid, Associate, Booz Allen Hamilton
Non-Technical
All
Time: 10:15am - 11:15am
Business leaders must not overlook the importance of cyber security as a national concern and policy issue. Last year, federal prosecutors cracked one of the largest cyber crime operations ever committed. They charged nearly a dozen people from five different countries with identity theft and credit card fraud. Also, U.S. members of Congress reported that hackers gained access to Congressional office computers over a period of several months. Both incidents, and several others more recently, indicate a need for greater urgency to protect U.S. communications and information systems.
The U.S. Chamber of Commerce and the U.S. Department of Homeland Security have been visiting several cities in recent months to increase businesses' awareness of, and investments in, cyber security from an enterprise risk management perspective. The Chamber-DHS partnership allows leading experts from federal, state and local government, and industry to bring cyber security practices to the wider business community.
Through its network of state and regional partners, the Chamber is coordinating grassroots outreach to business owners and operators and incorporating participation from government stakeholders. In short, the partnership aims to increase awareness of the potential consequences from a cyber attack, and to underscore the importance of integrating cyber security into enterprise risk management, emergency management, and business continuity planning, preparedness, and training initiatives.
Are you Googling Your Privacy and Security Away?
Raj Goel
Brainlink International, Inc.
Non-Technical
All
Time: 11:30am - 12:30pm
This presentation addresses how various services offered by Google can become a threat to your company's privacy and confidentiality policies. It deals with Google's capabilities to capture and aggregate information with or without user knowledge. Special attention is given to Google's key offerings such as:
- Google Searches,
- GMail, GMail Mobile,
- Orkut,
- Google Toolbar,
- Google Desktop,
- Android,
- Google Health Platform, and
- the Chrome Browser.
Introduction to the Cloud Security Alliance
Dov Yoran
MetroSITE Group/Cloud Security Alliance
Non-Technical
ALL
Time: 1:30pm - 2:30pm
Cloud Computing is a rapidly growing phenomenon that promises to increase availability and scalability of data and performance while driving down costs of these functions.
With these benefits there are numerous security considerations that must be addressed. The Cloud Security Alliance provides a guiding framework for those responsible for securing an organization's information. This non-technical discussion will outline steps one should consider when moving to the cloud.
A Hands-On Introduction to Web Application Security
Brian Reilly
Intermediate
Computer Forensic Specialists, IT Directors, Network Administrators, System Administrators, Project Managers, Programmers, Information Security Professionals, Auditors, CIOs, Educators, Non Technical Managers, Technical Staff, Web Developers
Time: 2:50pm - 3:50pm
Web application security testing is a key part of an organization's overall strategy for vulnerability assessment, risk management, and a comprehensive information security program. Industry analysts and computer criminals agree -- many mission-critical web applications are vulnerable to attack, often hold sensitive data, and can lead to a costly response process if compromised. This session will provide a hands-on introduction to web application security and explore several free Open Source assessment tools. Attendees are encouraged to bring a laptop with a VMware image or bootable CD of the OWASP live CD (www.owasp.org/index.php/Category:OWASP_Live_CD_Project).
A limited number of CDs will be available at the session.
Executive Issues
The Cost and Consequences of Unprotected Data
Dr. Larry Ponemon
The Ponemon Institute
Non-Technical
All
Time: 10:15am - 11:15am
This session will provide the results of several recent empirical studies conducted by Ponemon Institute that show the economic and ethical impact of unprotected confidential or sensitive information on both business and government organizations. In addition to research findings, Dr. Ponemon will provide high level recommendations that organizations should implement to mitigate or reduce salient cyber security risks.
The Security Challenges of Electronic Voting Systems
Rob Zeglen & Nils Ekberg
NYSTEC
Intermediate
Computer Forensic Specialists, IT Directors, System Administrators, Project Managers, Programmers, Information Security Professionals, Auditors, Lawyers, Executives, Technical Staff, Law Enforcement Personnel
Time: 11:30am - 12:30pm
Since the 2000 Presidential Election, the media has been buzzing with reports of voting fraud and problems with electronic voting systems. The Help America Vote Act (HAVA) of 2002 mandated a change in the way most Americans exercise one of their most important and fundamental rights. In response to HAVA, relatively simple mechanical machines and punch-card readers have been replaced with a variety of high-tech alternatives. What used to be a more transparent and somewhat well understood process of counting votes has become a major problem - as electronic systems with no voter verifiable audit trail have been deemed unsecure. This presentation will focus on the challenges of designing, testing and using electronic voting systems to conduct secure and transparent elections. The presentation will take you through a brief history of voting system technologies and their evolution to the current state. The presenters will attempt to separate fact from fiction and explain the very real challenges of securing electronic voting systems. Topics covered will include some notable security failures, how the National Institute of Science and Technology (NIST) and the Election Assistance Committee (EAC) are enhancing testing guidelines, and some of the unique voting security challenges faced from both a system design and testing and verification standpoint. Lessons learned from voting system security work will be shared as they are applicable to IT systems in general.
Risk Management
The Security Challenges: Risk = Threat x Vulnerability x Impact
Harry Regan
Verizon Business
Advanced
IT Directors, Network Administrators, System Administrators, Project Managers, Information Security Professionals, Auditors, CIOs, Mainframe Administrators, Technical Staff
Time: 1:30pm - 2:30pm
Security Management should be a critical component of business operations. It is important to remember that many regulations and standards affect not only the governments and businesses within a specific industry, but also partners and providers of those businesses and governments who may themselves have a different industry classification. With many businesses finding themselves required to comply with multiple standards and regulations, maintaining adequate security can be a complex and (many fear) costly undertaking. It should be further noted that effective information security cannot be achieved through single, point-in-time security assessments. Rather, to achieve true security, it is paramount that you implement an ongoing information security program which incorporates people, processes, and technology to address your enterprise-wide business operations and that you employ appropriate measurements to manage and improve program effectiveness on a continual basis. In this presentation, Verizon Business will review important aspects of Risk Assessment and Mitigation, as well as Audit. By employing a security management program (SMP), based on ISO 27001-based security controls, SMP addresses security at all layers of your enterprise including: Process and Procedure Validation, Policy Review, Physical Inspection, External (Internet-facing) Environment, Internal (LAN and DMZ) Environment, Wireless Environment, and Desktop Environment.
Information Security Risk Management
Manny Morales
NYS Office of the State Comptroller
Intermediate
IT Directors, Project Managers, Programmers, Information Security Professionals, Auditors, Executives, CIOs, Educators, Non Technical Managers
Time: 2:50pm - 3:50pm
Risk assessment may be the most important step in the risk management process for Information Security, and may also be the most difficult to execute and prone to errors. Once risks have been identified and assessed, the steps to properly deal with them are much easier to follow. One of the biggest issues facing many organizations is the lack of knowledge about when a security risk assessment is to be conducted and how to begin the process. Traditionally, performing a risk assessment has been perceived as a major task that is time consuming and costly. The process often took months to complete. Results given to management were often confusing, convoluted, and did not properly explain the business risk and how to mitigate that risk. At times, in-house expertise was overlooked, requiring the hiring of consultants lacking the background in risk management. Using a structured approach, and developing an efficient and disciplined process, performing the risk assessment does not have to be such an agonizing and ineffective process. This session will show you how.
Symposium Track
Session 4: Information Assurance
Chair: Boleslaw Szymanski, Rensselaer Polytechnic Institute
Paper: On optimal AV System strategies against obfuscated malware
Authors: Anshuman Singh (1), Bin Mai (2), Arun Lakhotia (1) & Andrew Walenstein (1)
(1) University of Louisiana at Lafayette; (2) Northwestern State University, Natchitoches
Time: 10:15am - 11:15am
Many Anti-Virus (AV) Systems are heterogeneous compositions of components, with each component specially tuned to work on a certain class of threat. Each component may have individually tunable parameters and different performance characteristics. No general theory is known for composing such components and assigning their individual parameters in order to ensure optimal resistance to attack. A particularly important question is posed by the possibility of obfuscated malware, which may fool the system into using different components. This paper introduces a framework for modeling composite AV Systems as classifiers wired together using selectors. It then uses game theory to analyze possible attacks. According to the game analysis, using a selector is beneficial only when the cost of developing obfuscated malware to game it is above a certain threshold. Further, the AV System is always better off by configuring its detection components so as to deter attackers from developing obfuscated malware, and this can be achieved by decreasing the detection rate of the classifier designed specifically for that class of malware, and increasing the detection rate for the classifier designed for clean files.
Paper: A Brief Letter on Reasoning about Information Assurance using the Semantic Web
Author: Stephen F. Bush, GE Global Research Center
This is a brief letter outlining speculative ideas for semantic web reasoning about information assurance. Much work has been done on the development of semantic web applications for reasoning about information assurance. A significant portion of this work is focused upon semantic web ontologies and reasoning about security policies and the underlying implementation of those policies. While numerous semantic web-based security policy ontologies and reasoners exist, both academically and commercially, I will briefly focus on ideas related to solutions to the problem of managing semantic web rules using algorithmic information theory.
Session 5: Invited Talk
Chair: Daniel O. Rice, Loyola College
Title: Social and Behavioral Approaches to Information Assurance
Speaker: H.R. Rao, University at Buffalo, SUNY
Time: 11:30am - 12:30pm
Information Assurance (IA) concerns operations that protect information systems by ensuring availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of systems by incorporating protection, detection, and reaction capabilities. Much of the information assurance literature is technical in nature. However, it is important that use of technology must be shaped by social policies and legal and ethical issues. This talk will focus on social and behavioral issues in Information Assurance and touch on topics such as risk, quality of information, prospect theory, social engineering, psychology of response and reaction. Real life caselets will be used to illustrate concepts.
Session 6: Authentication
Chair: Shobha Chengalur-Smith, University at Albany, SUNY
Title: Re-evaluating Single Sign-On System Design Risks: An Activity Theoretic Approach
Speaker: Manish Gupta, Kranti Banala & Raj Sharman, University at Buffalo, SUNY
Time: 1:30pm - 2:30pm
Single Sign-On (SSO) Systems provide users the convenience of authenticating once and accessing multiple applications and systems without having to provide credentials again. Organizations across industries have extensively started to deploy single sign-on systems in their environments, a step poised to improve productivity, reduce complexity, improve user convenience, facilitate business and improve compliance to security policies. While single sign-on systems have been shown to provide much economic benefit, there are inherent risks that derive from the fact that in an SSO environment, only one password or one set of authentication factors is needed. This creates a situation typically understood as a 'single point of failure'. The risk is that if the single sign-on password is breached, then all of the applications covered under SSO are exposed. Our research explores various factors and characteristics of systems and applications that will guide and inform organizations to secure their environments by de-coupling certain systems or having multiple single sign-on systems (minimal set) based on the application and SSO system characteristics. We use activity theory principles to understand how applications should be categorized to design SSO systems. The research develops a process guided by activity theory to unravel some of the hidden design tenets that should guide SSO deployments.
Paper: Bridging Research and Practice: Secure Data Management in the Classroom
Authors: Richard Savacool & Rajendra K. Raj , Rochester Institute of Technology
In recent years, information security and assurance has received considerable attention from the computing community, with universities revamping course offerings in areas such as cryptography, network security, enterprise systems security, secure coding, and digital forensics. Although it is an important aspect of overall information systems security, secure data management has received less attention than it deserved. This, however, has not been the case at the university where a course in secure database systems has been offered continuously since 2003. The course has undergone revisions over the years, and most recently, it was converted to be an online course. For the past several years, the authors have worked in the area of information security from different perspectives. The first author, who has over a decade's practical experience in security in computer systems and holds several industry security certifications, recently took the secure database systems course at RU as a student. The second author, who is the faculty member at RU who developed and teaches the secure database systems course, previously worked as a software developer and manager in the financial services industry working with secure, persistent distributed computing systems. This case study discusses the existing secure database systems course at RU and shows how research and practice can be blended to create an effective course in secure data management.
Session 7: Roundtable: Forensics Education
Time: 2:50pm - 3:50pm
Panelists:
Fabio Auffant, NY State Police
Cristian Balan, Champlain College
Sean Smith, NY Prosecutors Training Inst.
The field of computer and digital forensics is changing rapidly and our dependence on computers and networks is increasing. Techniques from computer and digital forensics are being used not only for investigating crime, but also for auditing systems as well as for recovery of lost data. Computer and digital forensics involves data not only from computers, but also from servers, networks, and mobile devices. The needs of the public sector workforce are growing as the demand for such expertise increases within existing IT departments and new forensics divisions are created in agencies. However, they are competing with the private sector, which often lures prospective employees with better salaries. Knowledge of computer and digital forensics has become a necessary component of any IT specialist, but due to the changing environment, it is also important to adapt by continuing to learn new tools and techniques.
Back by popular demand from last year, this round-table features a panel of experts who will discuss the challenges faced by educators/trainers, law enforcement, and prosecution in terms of training, retraining, and retaining a computer and digital forensics capable workforce. It will also cover novel ways to ensure continuous training to security and forensics professionals. The panelists at the round-table come from law enforcement, prosecution and academia and each brings their unique perspectives to the discussion.

